Loose Lips Might Sink Ships – The Conundrum of Social Communication

"Loose lips might sink ships" is a propaganda idiom that originated during World War II to bring awareness to the hazards of careless talk about subject matter that could be vital information to the enemy. As a US Navy veteran, I take this to heart and do my best to protect corporate data no matter how insignificant it may seem. However, social communication sites such as Facebook, Twitter and YouTube provide new avenues of personal sharing in a social context that could have considerable ramifications in a professional context.

The other day I was talking to somebody about the challenges of publicly available communication sites and concerns on how to secure professional content from being openly shared. In many cases employees use the aforementioned sites to communicate internally or externally and oftentimes may be sharing sensitive corporate data on these sites — not with the intent of being malicious, but because it seems like the right way to share information or they want to circumvent IT-placed restrictions. He then shared a story with me of a coworker who posted a simple status update to a social site, something to the effect of “Have the day off tomorrow, project on hold. Wahoo!”. It just so happens this person was on the same project and wasn’t aware it had been placed on hold, so he contacted his manager to see if in fact the project was on hold. The manager, alarmed by the question, escalated to the director, who immediately questioned this person on how and where they got their information. He didn’t wish to get anybody in trouble, but was put in the precarious position of being in the middle of his co-worker/friend and upper management. As it turns out, the concern from management was justified, as the client was in the early stages of a restructuring that hadn’t been announced and positions were going to be affected. Had there been a preannouncement of this information (even without intent), the implications could easily have stretched into a substantial liability for the company.

There have also been countless examples of people trying to hide behind the curtain of anonymity with communication vehicles and failing miserably. Who can forget the story a couple of years ago on How Not to Get a Job Via Twitter, in which somebody publicly talked about receiving a job offer, then questioned if it was worth doing a job they didn’t want for a “fatty” paycheck. More recently, the story of how the Secret Service bashes Fox News on Twitter because a user thought they were posting to a personal account demonstrates the need not only for policies, but also policy enforcement. In this case, an anonymous user sent a message under the title of Secret Service that was representative of the entire Secret Service in a less than positive way. A quick search of the web will bring up countless other stories, and even more, such as calendar information being shared publicly with details such as dial-in and access codes to internal company meetings.

Customers I speak with have different ways of protecting corporate data from public sites. Some turn off access to known sites, but it is difficult to scale and manage the existing and new public access sites as they appear. Others limit the types of files that may be uploaded to an outside site. These approaches may be easily circumvented by the technically savvy user. I believe the most effective recourse is education. Communicating documented stories of how loose lips might sink ships is a great way to drive awareness to the cause and make people think twice about the information they share publicly. There are many vehicles you can use internally to spread the word: intranet postings, e-mail, enterprise social software communities, videos, blogs, and voice mail. The greater the level of awareness, the greater the level of responsibility.

What are you doing to protect corporate data from public eyes? Most everybody will brag about having a day off, but how do you keep them from revealing too much when asked why? What are your thoughts about the separation of personal and professional social sites and how to maintain that separation for the good of the company?


This is a great reminder that all security is human. I'm a huge proponent of transparency in organizations, but I'm also a realist. (My students help me stay that way.) Yes, especially with more and more opportunities for data analytics, let alone good sleuthing, we need to be aware that our communications have implications.
You highlighted the best answer to the problem: "I believe the most effect recourse is education." That said, given data analytics and the ability to draw implications from a vast array of sources, it may also be that we need to shift our strategies to those that don't rely on secrecy. It may just not be an option moving forward.

Thanks for the comment, Terri. I think you've summed things up nicely with "all security is human". I'm continually surprised by the nuggets of information people will protect in their "real life", but openly broadcast in their "virtual life". I'm not saying people need to become digital recluses, but they do need to give thought to and consider the consequences of posting something in the Internet ether. We should realize that anything posted publicly (be it text, photos, or videos) is now uncontrolled and can be passed around freely to anyone. Furthermore, we should also assume that it'll be available to anyone forever after. Rule of thumb: if you don't want a tidbit to come back to haunt you, think twice about posting it.
